Month: June 2013

We didn't pay as much attention to the new proposals in the EU to ratchet up penalties for "cybercrime" in part because they came out just about the same time that the NSA surveillance information started leaking. However, someone who shall remain anonymous passed along to us a "group briefing" document from the EU Parliament team that came up with the latest cybercrime directive, which highlights a bit of the approach and some of the problems. The document is actually from a year ago, but it's definitely reflected in the final product. The entire focus of the document is on harsher penalties, even though there's no evidence that such penalties do any good or act as a deterrent. And, while the document does note that protecting "white hat hackers" is important for achieving "cybersecurity," apparently they had a lot of trouble agreeing on what to do to protect them:

As regards protecting "white hat hackers" as an integral part of the internet's immune system, we managed to achieve a very weak recital (6a bis) compared to the initial LIBE orientation vote. It is made clear that reporting of threats, risks, and vulnerabilities is crucial and needs incentives. The crucial last sentence, however, is not clear enough and far away from creating obligations for member states... Therefore there is no serious protection for white hat hackers who find vulnerabilities in other peoples' information systems and report them. We did, however, start a debate at all and get the whole EP united behind this.

[....] We managed to get a number of important safeguards in, and the fundamental debate on better IT security is opened. However, the directive is in many ways worse than the old framework decision. Higher penalties and the criminalisation of more practices and even tools are not only mainly symbolic, but even risk criminalising well-intended "white hat hackers" and curious teenagers. The problem was Council and a too weak negotiation strategy of the rapporteur at the very end.

From the details of the directive that came out, it appears that not many of these flaws have been fixed. Jan Philipp Albrecht, who was a part of the effort, clearly is not at all happy with how it came out:

But Albrecht attacked the directive, saying, "The legislation confirms the trend towards ever stronger criminal sanctions despite evidence, confirmed by Europol and IT security experts, that these sanctions have had no real effect in reducing malicious cyber attacks.

"Top cyber criminals will be able to hide their tracks, whilst criminal law and sanctions are a wholly ineffective way of dealing with cyber attacks from individuals in non-EU countries or with state-sponsored attacks.

"Significantly, the legislation fails to recognise the important role played by 'white hat hackers' in identifying weaknesses in the internet's immune system, with a view to strengthening security.

"This will result in cases against these individuals, who pose no real security threat and play an important role in strengthening the internet, whilst failing to properly deal with real cyber criminals.

"The result will leave hardware and software manufacturers wholly responsible for product defects and security threats, with no incentive to invest in safer systems."

The equation here is pretty simple. Simply ratcheting up punishment does little to stop malicious hacking, because hackers rarely expect to get caught. So it does little to nothing to actually help stop online crime. What does help is having security researchers and others exposing and fixing vulnerabilities. But if you create massive new penalties for "cybercrime" and make the rules amorphous enough that those security researchers may be charged under them for trying to help, you reduce the incentives for them to actually help.

End result: more malicious hacking, and fewer people willing to actually help protect and fix vulnerabilities.

That's not good for anyone. But it fits with the technically clueless "law enforcement above all else" mentality we see too often in government these days, which seems to think that "greater enforcement" and "greater punishment" are the answer to any wrong, no matter how much evidence suggests that's untrue.
Not only is there a massive difference in what's being said, but also in how it's being said. Candidate Obama spoke clearly, directly, strongly and without equivocation about protecting civil liberties and not giving up our freedoms. President Obama's speech, on the other hand, sounds weak, vague and unpresidential in comparison. In the first one, he makes these clear, declarative announcements:

This administration puts forth a false choice between the liberties we cherish and the security we provide.

But as President, he says (while rolling his eyes -- the video is incredible):

You can't have 100% security... and then also have 100% privacy and zero inconvenience.... We're, we're going to have to make some choices.

As a candidate:

I will provide our intelligence and law enforcement agencies the tools they need to take out the terrorists without undermining our Constitution and our freedoms. That means no more illegal wiretapping of American citizens. That means no more national security letters to spy on Americans who are not suspected of committing a crime. No more tracking citizens who do no more than protest a misguided war. No more ignoring the law when it is inconvenient. That is not who we are. That's not what is necessary to defeat the terrorists.

As President, he talks vaguely about how his team made an "assessment" and that these programs keep people safe, and "in the abstract" people might claim these programs are "Big Brother" but he thinks there's a "balance" to be struck. It's funny how different dictatorial surveillance powers look when you're the guy in charge of them.